Botnets - The killer web applications

www.syngress.com
Alternative Botnet C&Cs • Chapter 3


The stolen credentials are then uploaded to an FTP server maintained by the botnet controller. Botherders maintain elaborate statistics about the credentials stolen and where they come from. Figures 3.2 and 3.3 show statistics about the origins of credentials gathered by a botnet.
The botnet controller can then steal the user’s credentials and steal their financial information and money, as well as potentially commit identity theft. In essence, these C&Cs, which are called drop zones, will record all credentials, no matter for what Web site, and feed them directly to the criminals on the other end.
Some more advanced drop zones also provide the bots with instructions, such as, “If the user surfs to www.mybank.com, use this signature to steal only the information we need!” Or even more advanced, “automatically send the selected information in, so that we can direct you to change the user’s transaction on the fly, in real time, and send it instead to our account.”
Figure 3.2 Origins of Credentials Gathered by a Botnet
Figure 3.3 Bot Statistics
Although these banking and phishing bots’ drop zones do not answer the pure definition of what a C&C does, they are indeed a control channel, and one that is a lot more live and active than most C&Cs of other types.
FTP is not the only protocol used for drop zones, but it is a leading one.
Some more information about economic uses for botnets can be found in the following article: www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf.
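A defender's view of the drop-zone pattern described above, as an added example that is not from the book: many internal hosts uploading over FTP to one unapproved external server. The log layout, address ranges, allowlist and threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: site address space, approved FTP partners, log layout.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_FTP_SERVERS = {"198.51.100.10"}
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}  # FTP commands that send data to the server

# Constructed sample events: timestamp, client IP, server IP, FTP command, argument.
SAMPLE_LOG = """\
2007-01-08T11:56:01 10.0.4.17 203.0.113.50 STOR a1.txt
2007-01-08T11:56:09 10.0.4.22 203.0.113.50 STOR b7.txt
2007-01-08T11:57:30 10.0.4.31 203.0.113.50 APPE c3.txt
2007-01-08T11:58:02 10.0.4.17 198.51.100.10 STOR report.pdf
2007-01-08T11:58:40 10.0.4.40 192.0.2.77 RETR setup.exe
2007-01-08T11:59:12 10.0.4.22 192.0.2.77 STOR notes.txt
2007-01-08T11:59:50 10.0.4.9 10.0.0.5 STOR backup.tar
malformed line
"""

def is_internal(ip):
    """True when the address belongs to the site's own networks."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return any(addr in net for net in INTERNAL_NETS)

def find_drop_zone_candidates(log_text, min_clients=2):
    """Map each unapproved external FTP server to the internal hosts uploading to it,
    keeping servers that receive uploads from at least min_clients distinct hosts."""
    uploads = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # malformed record
        _ts, client, server, command = parts[:4]
        if command.upper() not in UPLOAD_COMMANDS:
            continue  # downloads and other commands are out of scope here
        try:
            if not is_internal(client) or is_internal(server):
                continue  # only internal-to-external transfers matter
        except ValueError:
            continue  # unparsable address
        if server not in ALLOWED_FTP_SERVERS:
            uploads[server].add(client)
    return {s: sorted(c) for s, c in uploads.items() if len(c) >= min_clients}

if __name__ == "__main__":
    for server, clients in find_drop_zone_candidates(SAMPLE_LOG).items():
        print(f"{server}: uploads from {len(clients)} internal hosts: {', '.join(clients)}")
```

Lowering `min_clients` to 1 surfaces single-host uploads as well, at the cost of more noise from one-off legitimate transfers.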
Advanced DNS-Based Botnets
As we have already discussed, DNS is used as a layer of obfuscation and security for botnet C&Cs, providing redundancy and robustness, rather than serving as the control channel itself. So far we have discussed the trivial concepts of using the DNS to represent IP addresses (as it was meant to), and multihoming,
